
© 2026 Web Util Slyce. All tools run client-side — your data stays private.

How to Create a JWT

Creating a JWT involves defining a header with the signing algorithm, a payload with claims (sub, exp, iat, iss), and signing the encoded header+payload with a secret or private key.


Overview

JWT creation follows three steps: construct the header (algorithm + token type), construct the payload (claims about the user and token), and sign the Base64URL-encoded header and payload. The resulting token is a compact, URL-safe string sent to clients for authentication.

Prerequisites

  • Understanding of JWT structure (header.payload.signature)
  • A secret key (HS256) or RSA key pair (RS256)
  • A JWT generator tool (such as this site's JWT Generator)

Step-by-Step Instructions

1. Define the header

The header specifies the signing algorithm and token type. For most applications, use HS256 or RS256.

{ "alg": "HS256", "typ": "JWT" }

2. Add standard claims

Include the required claims: sub (user ID), iat (issued at), exp (expiration time). All timestamps are Unix epoch seconds. The example below also sets iss (issuer) and a custom role claim.

{ "sub": "user_12345", "iat": 1700000000, "exp": 1700086400, "iss": "https://api.example.com", "role": "admin" }

3. Set an appropriate expiration

Access tokens should expire quickly (15-60 minutes). Refresh tokens can last longer (7-30 days). Never create tokens that never expire.

4. Sign the token

Base64URL-encode the header and payload separately, join them with a period, and sign that string using your chosen algorithm and secret (HS256) or private key (RS256). Base64URL-encode the signature and append it as the third segment, giving the final header.payload.signature token.

Common Mistakes to Avoid

  • Storing secrets in client-side code — JWT signing keys must be server-side only
  • Setting excessively long expiration times (days or years) — use short-lived access tokens with refresh tokens
  • Including sensitive data in the payload — the payload is Base64URL-encoded, not encrypted, so anyone holding the token can read it
  • Using the 'none' algorithm — always specify a signing algorithm, and have the server accept only the algorithm it expects rather than trusting the alg value found in the token header


Frequently Asked Questions

What is the difference between HS256 and RS256?

HS256 uses a shared secret (symmetric) — same key signs and verifies. RS256 uses a private/public key pair (asymmetric) — private key signs, public key verifies. Use RS256 for production systems.

How long should a JWT be valid?

Access tokens: 15-60 minutes. Refresh tokens: 7-30 days. Short expiration limits damage from token theft while refresh tokens provide good user experience.